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Abstract 



Almost all of the most successful quantum algorithms discovered to date exploit the ability of the 
Fourier transform to recover subgroup structure of functions, especially periodicity. The fact that Fourier 
transforms can also be used to capture shift structure has received far less attention in the context of 
quantum computation. 

In this paper, we present three examples of "unknown shift" problems that can be solved efficiently 
on a quantum computer using the quantum Fourier transform. We also define the hidden coset problem, 
which generalizes the hidden shift problem and the hidden subgroup problem. This framework provides 
a unified way of viewing the ability of the Fourier transform to capture subgroup and shift structure. 

1 Introduction 

The first problem to demonstrate a supcrpolynomial separation between random and quantum polynomial 
time was the Recursive Fourier Sampling problem . Exponential separations were subsequently discovered 
by Simón p^ j , who gave an oracle problem, and by Shor ]3Ï[ | , who found polynomial time quantum algorithms 
for factoring and discrete log. We now understand that the natural generalization of Simon's problem and 
the factoring and discrete log problems is the hidden subgroup problem (HSP), and that when the underlying 
group is Abelian and finitely generated, we can solve the HSP efficiently on a quantum computer. Whilc 
recent results have continued to study important generalizations of the HSP (for example, [^, |2^, |Ï9[ |34|, 
p5| , only the Recursive Fourier Sampling problem remains outside the HSP framework. 

In this paper, we give quantum algorithms for several hidden shift problems. In a hidden shift problem 
we are given two functions /, g such that there is a shift s for which f(x) = g(x + s) for all x. The problem 
is then to find s. We show how to solve this problem for several classes of functions, but perhaps the most 
interesting example is the shifted Legendre symbol problem, where g is the Legendre symbolQ with respect 
to a prime size finite field, and the problem is then: "Given the function f(x) — as an oracle, find s" . 

The oracle problem our algorithms solve can be viewed as the problem of predicting a pseudo-random 
function /. Such tasks play an important role in cryptography and have been studied extensively under vari- 
ous assumptions about how one is allowed to query the function (nonadaptive versus adaptive, deterministic 
versus randomized, et cetera) |2^]. In this paper we consider the case where the function is queried in a 
quantum mcchanical superposition of different vàlues x. We show that if f{x) is an s-shifted multiplicative 
character x( x + s), then a polynomial-time quantum algorithm making such queries can determine the hidden 
shift s, breaking the pseudo-randomness of /. We conjecture that classically the shifted Legendre symbol 
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is a pseudo-random function, that is, it is impossible to efficiently predict the value of the function after a 
polynomial number of queries if one is only allowed a classical algorithm with oracle access to /. Partial 
evidence for this conjecture has been given by Damgàrd jïq ] who proposed the related task: "Given a part 
of the Legendre sequence (^), (^p), ■ • ■ , where l is O(logp), predict the next value ( s+ + ) " , as a hard 

problem with applications in cryptography. 

Using the quantum algorithms presented in this paper, we can break certain algebraically homomorphic 
cryptosystems by a reduction to the shifted Legendre symbol problem. The best known classical algorithm || 
for breaking these cryptosystems is subexponential and is based on a smoothness assumption. These cryp- 
tosystems can also be broken by Shor's algorithm for period finding, but the two attacks on the cryptosystems 
appear to use completely different ideas. 

Whilc current quantum algorithms solve problems based on an underlying group and the Fourier trans- 
form over that group, we initiate the study of problems where there is an underlying ring or field. The 
Fourier transform over the additive group of the ring is defined using the characters of the additive group, 
the additive characters of the ring. Similarly, the multiplicative group of units induces multiplicative char- 



acters of the ring. The interplay between additive and multiplicative characters is well understood 28 p3| , 
and we show that this connection can be exploited in quantum algorithms. In particular, we put a multi- 
plicative character into the phase of the registers and compute the Fourier transform over the additive group. 
The resulting phases are the inner products between the multiplicative character and each of the additive 
characters, a Gauss sum. We hope the new tools presented here will lead to other quantum algorithms. 
We give algorithms for three types of hidden shift problems: 

In the first problem, g is a multiplicative character of a finite field. Given /, a shifted version of g, the 
shift is uniquely determined from / and g. An example of a multiplicative character of Z/pZ is the Legendre 
symbol. Our algorithm uses the Fourier transform over the additive group of a finite field. 

In the second problem, g is a multiplicative character of the ring TLjnL. This problem has the feature 
that the shift is not uniquely determined by / and g and our algorithm identifies all possible shifts. An 
example of a multiplicative character of Z/nZ is the Jacobi symbol^. 

In the third problem we have the same setup as in the second problem with the additional twist that n 
is unknown. 

We also define the hidden coset problem, which is a generalization of the hidden shift problem and the 
hidden subgroup problem. This definition provides a unified way of viewing the quantum Fourier transform's 
ability to capture subgroup and shift structure. 

Some of our hidden shift problems can be reduced to the HSP, although efncient algorithms for these 
HSP instances are not known. Assuming Conjecturo 2.1 from ||, the shifted Legendre symbol problem over 
Z/pZ can be reduced to an instance of the HSP over the dihedral group D p — Z/pZ x Z/2Z in the following 
way. Let f(x, 0) = ((£), (2±1), . . . , (^)) and f(x, 1) = ( (ï±í) , , . . . , (^)), where s is unknown 

and £ > 21og 2 p. Then the hidden subgroup is H = {(0, 0), (s, 1)}. This conjecture is necessary to ensure 
that / will be distinct on distinct cosets of H . For the general shifted multiplicative character problem, the 
analogous reduction to the HSP may fail because / may not be distinct on distinct cosets. However, we can 
efficiently gcnerate random cosct states, that is, superpositions of the form \x, 0) + \x + s, 1), although it is 
unknown how to use these to efficiently find s |ï(|. The issue of nondistinctness on cosets in the HSP has 
been studied for some groups [|[ [H], [Ï8| |. 

The existence of a timc efficient quantum algorithm for the shifted Legendre symbol problem was posed 
as an open question in flÏ2| . The Fourier transform over the additive group of a finite field was independently 
proposed for the solution of a different problem in [Q . The current paper subsumes |p| and [ 24| . Building 
on the ideas in this paper, a quantum algorithm for estimating Gauss sums is described in [^4 . 

This paper is organized as follows. Section ^ contains some definitions and facts. In Section |^, we give 
some intuition for the ideas behind the algorithms. In Section ^, we present an algorithm for the shifted 
multiplicative problem over finite fields, of which the shifted Legendre symbol problem is a special case, and 
show how we can use this algorithm to break certain algebraically homomorphic cryptosystems. In Section^, 
we extend our algorithm to the shifted multiplicative problem over rings Z/nZ. This has the feature that 
unlike in the case of the finite field, the possible shifts may not be unique. We then show that this algorithm 

2 The Jacobi symbol fè) is defined so that it satisfies the relation (^) = (^) (^) and reduces to the Legendre symbol when 
the lower parameter is prime. 
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can be extended to the situation where n is unknown. In Section g, we show that all these problems lie 
within thc general framework of the hidden coset problem. We give an efficient algorithm for the hidden 
coset problem provided g satisfies certain conditions. We also show how our algorithm can be interpreted as 
solving a deconvolution problem using Fourier transforms. 



2 Background 

2.1 Notation and Conventions 

We use the following notation: Lü n is the nth root of unity exp(27ri/n), and / denotes the Fourier transform 
of the function /. An algorithm computing in ¥ q , ïjnL or G runs in polynomial time if it runs in time 
polynomial in logg, logn or log|G|. 

In a ring Z/nZ or a field F„, additive characters ip (Z/nZ — > C* or ¥ q — > C*) are characters of the 
additive group, that is, ip(x + y) = i/j(x)ip(y), and multiplicative characters x ((Z/nZ)* — > C* or F* — > C*) 
are characters of the multiplicative group of units, that is, x( x u) = x( x )x(y) f° r au x an d V- We extend 
the definition of a multiplicative character to the entire ring or field by assigning the value zero to elements 
outside the unit group. All nonzero %{x) vàlues have unit norm and so = x( x )- 

We ignore the normalization term in front of a superposition unless we need to explicitly calculate the 
probability of measuring a particular value. 

2.2 Computing Superpositions 

We will need to compute the superposition ^2 f(x)\x) where f{x) is in the amplitude. 

Lemma 1 (Computing Superpositions) Let f : G — > C be a complex-valued function defined on the set 
G such that f(x) has unit magnitude whenever f(x) is nonzero. Then there is an efficient algorithm for 
creating the superposition J2 X f{x)\x) with success probability equal to the fraction of x such that f(x) is 
nonzero and that uses only two queries to the function f . 

Proof: Start with the superposition over all x, ^ x \x). Compute f{x) into the second register and measure 
to see whether f(x) is nonzero. This succeeds with probability equal to the fraction of x such that f{x) is 
nonzero. Then we are left with a superposition over all x such that f(x) is nonzero. Compute the phase of 
f(x) into the phase of \x). This phase computation can be approximated arbitrarily closely by approximat- 
ing the phase of f(x) to the nearest 2"th root of unity for sufficiently large n. Use a second query to / to 
reversibly uncompute the f{x) from the second register. ■ 



2.3 Approximate Fourier Sampling 

It is not known how to efficiently compute thc quant um Fourier transform over Z/nZ exactly. However, 
efficient approximations are known |2(|]27], |2~ÏJ| . We can even compute an efficient approximation to the 
distribution induced when n is unknown as long as we have an upper bound on n pï|| . We will nee d to 



approximately Fourier sample to solve the unknown n case of the shifted character problem in Section 5.2 



To Fourier sample a state |</>), we form the state |</>) that is the result of repeating |0) many times. We 
then Fourier sample from \(j>} and use continued fractions to reduce the expanded range of vàlues. This 
expansion into \<fi) allows us to perforin thc Fourier sampling step over a length from which we can exactly 
Fourier sample. 

More formally, let \(j>) = X)"=o ^x^) be an arbitrary superposition, and "D\^ be the distribution induced 
by Fourier sampling \4>) over Z„. Let the superposition \(f>) — 'Y^^q 4> x mod n\ x ) be \<j>) repeated until some 
arbitrary integer to, not necessarily a múltiple of n. Let T>^ be the distribution induced by Fourier sampling 
\4>) over Z g rather than Z m (where q > m and (f> x = if x > to). Notice that T> w is a distribution on Z„ 
and T>\4.) is a distribution on Z g . 

We can now define the two distributions we will compare. Let 2?^ be the distribution induced on the 
reduced fractions of T> Wl that is, if x is a sample from T> w , we return the fraction x/n in lowest terms. In 
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particular, define T>^(j,k) = T> l ^(jm) if mk = n. Let 2?^ be the distribution induced on fractions from 
sampling T>^ to obtain x, and then using continued fractions to compute the closest approximation to x/q 
with denominator at most n. If m = Ü(^r) and q = íl(^), then \V^f } - < e. 

2.4 Finite Fields 

The elements of a finite field ¥ q (where q = p r for some prime p) can be represented as polynomials in 
F p [X] modulo a degree r irreducible polynomial in F p [X]. In this representation, addition, subtraction, 
multiplication and division can all be performed in 0((logg) 2 ) time Q. 

We will need to compute the Fourier transform over the additive group of a finite field, which is isomorphic 
to (Z/pZ) r . The additive characters are of the form ipy( x ) = wj 1 ^^ , where Tr : ¥ q — ► ¥ p is the trace of the 
finite field Tr(x) = E^o^'' and V e F <? S We 

can efficiently compute the Fourier transform over the 

additive group of a finite field. 

Lemma 2 (Fourier Transform over ¥ q ) The Fourier transform \x) t— > -i= J2 y ew \v) can ^ e a P~ 

proximated to within error e in time polynomial in logq and logl/e. 

Proof: Sec ]Ï3|| . (Independently, the efficiency of this transform was also shown in Qj.) ■ 
For clarity of exposition we assume throughout the rest of the paper that this Fourier transform can be 
performed exactly, as we can make the errors due to the approximation exponentially small with only 
polynomial overhead. 

2.5 Multiplicative Characters and their Fourier Transforms 

The multiplicative group F* of a finite field F g is eyelic. Let g be a generator of F*. Then the multiplicative 
characters of ¥ q are of the form x(d ) = f° r an ^ £ {0, ■ • • > Q — 2} where the q — 1 different multiplicative 
characters are indexed by k £ {0, . . . , q — 2}. The trivial character is the character with k — 0. We can 
extend the definition of x to F ç by defining x(0) = 0. On a quantum computer we can efficiently compute 
x{ x ) because the value is determined by the discrete logarithm log g (x), which can be computed efficiently 
using Shor's algorithm Mj. The Fourier transform of a multiplicative character x of the finite field ¥ q is 

given by x{v) = x(j/)x(l)Ü ü- 

Let n = p™ 1 . . .p™ k be the prime factorization of n. Then by the Chinese Remainder Theorem, (Z/nZ)* = 
(Z/p" H Z)* x • • • x (Z/p™ fc Z)*. Evcry multiplicative character x of Z/nZ can be written as the product 
x( x ) — Xi( x i) ■ ■ -Xk( x k)i where Xi is a multiplicative character oïX/p^ li 'L and Xi = x modp" li . We say x is 
completely nontrivial if each of the Xi is nontrivial. We extend the definition of x to all of Z/nZ by defining 
= if gcd(y, n) ^ 1. The character x is aperiodic on {0, . . . , n — 1} if and only if all its x% factors are 
aperiodic over their respective domains {0, . . . ,p™ í — 1}. We call x a primitive character if it is completely 
nontrivial and aperiodic. Hence, x is primitive if and only if all its Xi terms are primitive. 

It is well known that the Fourier transform of a primitive x 1S x{y) = x(y)x(l)- If X is completely 
nontrivial but periòdic with period £ 7 then its Fourier transform obeys x(y n /^) — X'(j/)x'(l)j where x' is the 
primitive character obtained by restricting x to {0, . . . , £— I}. See the book by Tolimieri et al. for details [ p3| . 

3 Intuition Behind the Algorithms for the Hidden Shift Problem 

We give some intuition for the ideas behind our algorithms for the hidden shift problem. We use the shifted 
Legendre symbol problem as our running example, but the approach works more generally. In the shifted 
Legendre symbol problem we are given a function f s : Z p — > {0,±I} such that f(x) = (^!p)> and are asked 
to find s. The Legendre symbol (-) : F p — * {0, ±1} is the quadratic multiplicative character of F p defined: 
(-) is 1 if x is a square modulo p, —1 if it is not a square, and if x = 0. 

The algorithm starts by putting the function value in the phase to get |/ s ) = ^2 X f s (x)\x) = ^2 X \ x )- 
Assume the functions f z are mutually (near) orthogonal for different z, so that the inner product (f z \f s ) 
approximates the delta function value 5 s (z). Using this assumption, define the (near) unitary matrix C, 
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Figure 1: Circuit for hidden shift problem. Notice how we compute / and g 1 into the phase. 
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Figure 2: Circuit for hidden subgroup problem. Here / is computed into a register. 



where the zth row is |/ z ). Our quantum state |/ s ) is one of the rows, hence C\f s ) = \s). The problem then 
reduces to: how do we efSciently implement C? By definition, C is a circulant matrix {c XíV = c x +i,y+i)- Since 
the Fourier transform matrix diagonalizes a circulant matrix, we can write C = J-(J-~ 1 CJ-)J-~ 1 = J-DJ-^ 1 , 
where D is diagonal. Thus we can implement C if we can implement D. The vector on the diagonal of 
D is the vector T~ 1 \fç l ) = F^^^^x (f)l x )' the inverse Fourier transform of the Legendre symbol. The 
Legendre symbol is an eigenvector of the Fourier transform, so the diagonal matrix contains the vàlues of 
the Legendre symbol times a global constant that can be ignored. Because the Legendre symbol can be 
computed efficicntly classically, it can be computed into the phase, so C can be implcmcntcd cmcicntly. 

In summary, to implement C for the hidden shift problem for the Legendre symbol, compute the Fourier 
transform, compute (-) into the phase at \x), and then compute the Fourier transform again (it is not 
important whether we use T or J 7 ^ 1 ). 

Figure [ÏJshows a circuit diagram outlining the algorithm for the hidden shift problem in general. Contrast 
this with the circuit for the hidden subgroup problem shown in Figure ^. 

4 Shifted Multiplicative Characters of Finite Fields 

In this section we show how to solve the hidden shift problem for any nontrivial multiplicative character of a 
finite ficld. The Fourier transform we use is the Fourier transform over the additive group of the finite field. 

Definition 1 (Shifted Multiplicative Character Problem over Finite Fields) Given a nontrivial 
multiplicative character x of a finite field ¥ q (where q = p r for some prime p), and a function f for which 
there is an s such that f(x) = \{x + s) for all x. Find s. 



Algorithm 1 (Shifted Multiplicative Character Problem over Finite Fields) 
1. Create J2x&f x(x + s)\x). 



2. Compute the Fourier transform to obtain J2 y er SV ^x{y)\y)- 

3. For all y ^ 0, compute xiv) m to the phase to obtain x(l) J2 V £W* 



Tr(-sy) 



\y)- 



4. Compute the inverse Fourier transform and measure the outeome — s. 
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Theorem 1 For any finite field and any nontrivial multiplicative character, Algorithm |^ solves the shifted 
multiplicative character problem over finite fields with probability (1 — 1/q) 2 . 

Proof: 

1. Since x( x ) — only at x — 0, by Lemma [ï] we can create the superposition with probability 1 — 1/q. 

2. By Lemma ^| we can compute the Fourier transform efficiently. The Fourier transform moves the shift ,s 
into the phase as described. 



3. Because x(y) = x(í/)x(l) f° r every nonzero y, the phase change \y) i— > x(u)\y) establishes the required 
transformation. 

4. The amplitude of | — s) is 

■^^/=fJ2ye¥' q LJ p li '' Sy)uj p 1ÍSy) = 7f7=rEyGF* 1 = \/^F' so the probability of measuring -s is 
1 - 1/q. 



4.1 Example: The Legendre Symbol and Homomorphic Encryption 

The Legendre symbol (-) : F p — * {0, ±1} is a quadratic multiplicative character of F p defined: (^) is +1 if x 
is a square modulo p, — 1 if it is not a square, and if x = 0. The quantum algorithm of the previous section 
showed us how we can determine the shift s £ ¥ p given the function f s (x) — (^jp) ■ We now show how this 
algorithm enables us to break schemes for 'algebraically homomorphic encryption'. 

A cryptosystem is algebraically homomorphic if given the encryption of two plaintexts E(x), E(y) with 
x,y € F p , an untrusted party can construct the encryption of the plaintexts E(x+y) and E(xy) in polynomial- 
time. More formally, we have the secret encryption and decryption functions E : ¥ p — ► S and D : S — > ¥ p , 
in combination with the públic add and multiplication transformations A : S 2 — > S and M : S 2 — » S such 
that D{A(E{x),E(y))) = x + y and D(M(E(x), E(y))) = xy for all x,y e F p . We assume that the functions 
E, D, A and M are deterministic. The decryption function may be many-to-one. As a result the encryption 
of a given number can vary depending on how the number is constructed. For example, A(E(A), E(2)) may 
not be equal to M(E(2), E(3)). In addition to the públic A and M functions, we also assume the existence 
of a zero-tester Z : S — > {0, 1}, with Z(E(x)) = if x = 0, and Z{E(x)) = 1 otherwise. 

An algebraically homomorphic cryptosystem is a cryptographic primitive that enables two players to 
perform noninteractive secure function evaluation. It is an open problem whethcr or not such a cryptosystem 
can be constructed. We say we can break such a cryptosystem if, given E(s), we can recover s in time 
polylog(p) with the help of the públic functions A, M and Z. The best known classical attack, due to Boneh 
and Lipton [0] , has expected running time O (exp (c-^/logp log logp) ) for the field ¥ p and is based on a 
smoothness assumption. 

Suppose we are given the ciphertext E(s). Test E(s) using the Z function. If s is not zero, create the 
encryption E[X) via the identity x^ 1 = 1 modp, which holds for all nonzero x. In particular, using E(s) 
and the M function, we can use repeated squaring and compute E(s) p ^ 1 — E(l) in logp steps. 

Clearly, from E(l) and the A function we can construct E{x) for every x £ ¥ p . Then, given such an E(x), 
we can compute f(x) = (^p) in the following way. Add E(s) and E(x), yielding E(x + s), and then compute 
the encrypted (p— l)/2th poweif^of x + s, giving E({^-)). Next, add E(0), E(—l) or E(l) and test if it is an 
encryption of zero, and return 0, 1 or —1 accordingly. Applying this method on a superposition of \x) states, 
we can create (after reversibly uncomputing the garbage of the algorithm) the state -n=f Ylx fs{ x )\ x )- We 
can then recover s by using Algorithm ^. 

Corollary 1 Given an efficient test to decide if a value is an encryption of zero, Algorithm ^ can be used 
to break any algebraically homomorphic encryption system. 

3 The Legendre symbol satisfies [-) = rr^ -1 )/ 2 . 
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We can also break algebraically homomorphic cryptosystems using Shor's discrete log algorithm as follows. 
Suppose g is a generator for F* and that we are given the unknown ciphertext E(g s ). Create the superposition 

\h3:E(g sz+: ')) and then append the state (V'si+j) = J2t ( g + p +t )\t) to the superposition in i,j by the 
procedure described above. Next, uncompute the value E(g sl+:j ), which gives J2i j Kii^si+j)- Rewriting 
this as \i, r — si)\ip r ) and observing that the ip r are almost orthogonal, we see that we can apply the 
methods used in Shor's discrete log algorithm to recover s and thus g s . 

5 Shifted Multiplicat ive Characters of Finite Rings 

In this section we show how to solve the shifted multiplicative character problem for Z/nZ for any completely 
nontrivial multiplicative character of the ring Z/nZ and extend this to the case when n is unknown. Unlike 
in the case for finite fields, the characters may be periòdic. Thus the shift may not be unique. The Fourier 
transform is now the familiar Fourier transform over the additive group Z/nZ. 

5.1 Shifted Multiplicative Characters of Z/nZ for Known n 

Definition 2 (Shifted Multiplicative Character Problem over Z/nZ) Given x, a completely non- 
trivial multiplicative character of Z/nZ, and a function f for which there is an s such that f(x) = x( x + s ) 
for all x. Find all t satisfying f(x) = xi x + t) for all x. 

Multiplicative characters of Z/nZ may be periòdic, so to solve the shifted multiplicative character problem 
we first find the period and then we find the shift. If the period is £ then the possible shifts will be 
{s 1 s + £ 1 s + 2£ 1 ...}. 

Algorithm 2 (Shifted Multiplicative Character Problem over Z/nZ) 

1. Find the period £ of x- Let x' be x restricted to {0, ...,£— 1}. 

(a) Create YZ=o x( x + s )\ x )- 

(b) Compute the Fourier transform over Z/nZ to obtain J2j/=o w i SV x' (y)\íJ n / ^) ■ 

(c) Measure \yn/t). Compute n/í = gcd(n, yn/l). 

2. Find s using the period £ and x' : 

(a) Create EfZoX'tz + s)\x). 

(b) Compute the Fourier transform over Z/£Z to obtain uj^ sy x'(y)\y}- 

(c) For all y coprime to £, x'iv) 1 m t° the phase to obtain Y^y,x'(y)^o ^ï^lv)- 

(d) Compute the inverse Fourier transform and measure. 

Theorem 2 Algorithm || solves the shifted multiplicative character problem over Z/nZ for completely non- 
trivial multiplicative characters ofL/nL in polynomial time with probability at least (^p-) 3 — ^(( \ og i ogn ) 3 ) ■ 

Proof: Note: because x is completely nontrivial, x' is a primitive character of Z/ÍZ. 

1. (a) x(x + s) is nonzero exactly when gcd(a; + s, n) = 1 so by Lemma[ï]we can create the superposition 

with probability 4>{n)/n. 

(b) Since x has period £, the Fourier transform is nonzero only on múltiples of n/£. 

(c) Since x'(y) — x'{y)x'(X)i an d x'{y) is nonzero precisely when gcd(y,n) = 1, when we measure 
ynj £ we have n/£ = gcd(n, yn/£). 

2. (a) Similar to the argument above, we can create the superposition with probability ip(£)/£. 
(b) The Fourier transform moves the shift s into the phase. 
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(c) As in the case for the finite field, this can be done by computing the phasc of x'{y) into the phase 

of \y). 

(d) Let A = {y e Z/£Z : x'iv) ^ 0}. A = (Z/£Z)* so |A| = cf>(£). Then the amplitude of | - s) 
after the Fourier transform is 77=^ (j2 y eA V" w f ) = T/JpyTl (^yeA l) = So the 
probability of measuring | — s) is (f>(£)/£. 

Thus the algorithm succeeds with probability (<fi(n)/n) (<{>(£) /£) 2 > (</>(n)/n) 3 , which in turn is lower bounded 

by ^ ( ( i OEr i olï n ) )■ ^ 



5.2 Shifted Multiplicative Characters of Z/nZ for Unknown n 

We now consider the case when n is unknown. 

Definition 3 (Shifted Multiplicative Character Problem over Z/nZ with Unknown n) 
Given a completely nontrivial multiplicative character x '■ Z/nZ — > C, for sorae unknown n, there is an s 
such thai f(x) = x{ x + s ) f or <M x - Find all t satisfying f(x) = x{ x + i) for all x. 

Theorem 3 Given a lower bound on the size of the period of f , we can efficiently solve the shifted multi- 
plicative character problem over Z/nZ for unknown n on a quantum computer. 

Proof: Let £ be the period of / and x' be x restricted to Z/£Z. Using the Fourier sampling algorithm de- 



scribed in Section 2^2, we can approximately Fourier sample / over Z/£Z. Because x'iv) ' IS nonzero precisely 
when gcd(y, £) — 1, this Fourier sampling algorithm returns yjl with high probability, where y is coprime to 
£. Thus we can find £ with high probability. Next, apply Algorithm || to find s mod £. ■ 



6 The Hidden Coset Problem 

In this section we define the hidden coset problem and give an algorithm for solving the problem for Abelian 
groups under certain conditions. The algorithm consists of two parts, identifying the hidden subgroup and 
finding a coset representative. Finding a coset representative can be interpreted as solving a deconvolution 
problem. 

The algorithms for hidden shift problems and hidden subgroup problems can be viewed as exploiting 
diffcrent facets of the power of the quantum Fourier transform. After computing a Fourier transform, the 
subgroup structure is captured in the magnitude whereas the shift structure is captured in the phasc. In 
the hidden subgroup problem wc mcasurc after computing the Fourier transform and so discard information 
about shifts. Our algorithms for hidden shift problems do additional processing to take advantage of the 
information encoded in the phase. Thus the solution to the hidden coset problem requires fully utilizing the 
abilities of the Fourier transform. 

Definition 4 (Hidden Coset Problem) Given functions f and g defined on a group G such that for 
some s € G, f(x) = g{x + s) for all x in G, find the set of all t satisfying f(x) = g{x + 1) for all x in G. f 
is given as an oracle, and g is known but not necessarily efficiently computable. 

Lemma 3 The answer to the hidden coset problem is a coset of some subgroup H of G, and g is constant 
on cosets of H . 

Proof: Let S = {t E G : f(x) = g(x + t) for all x € G} be the set of all solutions and let H be the 
largest subgroup of G such that g is constant on cosets of H. Clearly this is well defined (note H may be 
the trivial subgroup as in the Shifted Legendre Symbol Problem). Suppose íx,Í2 àte in S. Then we have 
g(x + (-í 2 + íi)) = g((x - t 2 ) + íi) = f(x - t 2 ) = g((x - t 2 ) + t 2 ) = g(x) for all x in G, so -í 2 + t x is in 
H . This shows S is a contained in a coset of H . Since s is in S we must have that S is contained in s + H . 
Conversely, suppose s + h is in s + H (where h is in H). Then g(x + s + h) = g{x + s) = f{x) for all x in 
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G, hence s + h is in S. It follows that S = s + H. Whilc this proof was written with additive notation, it 
carries through if the group is nonabelian. ■ 



6.1 Identifying the Hidden Subgroup 

We start by finding the subgroup H. We give two different algorithms for determining H, the "standard" 
algorithm for the hidden subgroup problem, and the algorithm we used in Section ^. 

In the standard algorithm for the hidden subgroup problem we form a superposition over all inputs, 
compute g{x) into a register, measure the function value, compute the Fourier transform and then samplc. 
The standard algorithm may fail when g is not distinct on different cosets of H. In such cases, we need 
other restrictions on g to be able to find the hidden subgroup H using the standard algorithm. Boneh 
and Lipton Mosca and Ekert |3(|, and Hales and Hallgren |2ÏJ have all given criteria under which the 
standard hidden subgroup algorithm outputs H even when g is not distinct on different cosets of H. 

In Section || we used a different algorithm to determine H because the function we were considering did 
not satisfy the conditions mentioned above. In this algorithm we compute the value of g into the amplitude, 
Fourier transform and then sample, whereas in the standard hidden subgroup algorithm we compute the 
value of g into a register. In general, this algorithm works when the fraction of vàlues for which g is zero is 
sufhciently small and the nonzero vàlues of g have constant magnitude. 

6.2 Finding a Coset Representative as a Deconvolution Problem 

Once we have identified H, we can find a coset representative by solving the associated hidden coset problem 
for /' and g' where /' and g' are defined on the quotient group G/H and are consistent in the natural way 
with / and g. For notational convenience we assume that / and g are defined on G and that H is trivial, 
that is, the shift is uniquely defined. 

The hidden shift problem may be interpreted as a deconvolution problem. In a deconvolution problem, 
we are given functions g and / = g * h (the convolution of g with some unknown function h) and asked 
to find this h. Let 5 y (x) = S(x — y) be the delta function centered at y. In the hidden shift problem, / is 
the convolution of <5_ s and g, that is, / = g*5- s . Finding s, or equivalently finding <5_ s , given / and g, is 
therefore a deconvolution problem. 

Recali that under the Fourier transform convolution becomes pointwise multiplication. Thus, taking 
Fourier transforms, we have / = g ■ 5- s and hence S- s — g^ 1 ■ f provided g is everywhere nonzero. For the 
multiplication by g _1 to be performed efficiently on a quantum computer would require g to have constant 
magnitude and be everywhere nonzero. However, even if only a fraction of the vàlues of g are zero we can 
still approximate division of g by only dividing when g is nonzero and doing nothing otherwise. The zeros 
of g correspond to loss of information about 5- s . 

Algorithm 3 

1. Create ExeG^O + s)\x). 

2. Compute the Fourier transform to obtain ^ v& Q , 4'y{s)g{ipy)\y) , where ip y are the characters of the 
group G. 

3. For all ip y for which g(ip y ) is nonzero compute gi^y) -1 into the phase to obtain ^ ip y {s)\y}. 

4. Compute the inverse Fourier transform and measure to obtain — s. 

Theorem 4 Suppose f and g are efficiently computable, the magnitude of f(x) is constant for all vàlues of 
x in G for which f(x) is nonzero, and the magnitude of g(tpy) is constant for all vàlues ofip y in G for which 
g(ipy) is nonzero. Let a be the fraction of x in G for which f(x) is nonzero and (3 be the fraction of tp y in 
G for which g(tp y ) is nonzero. Then the above algorithm outputs —s with probability a(3. 

Proof: 
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1. By Lemma |l| we can create the superposition with probability a. 

2. The Fourier transform moves the shift s into the phase. 

3. Because g has constant magnitude, for vàlues where g is nonzero, giipy)^ 1 = Cg(ip y ) for some constant 
C . So we can perforin this step by computing the phase of g into the phase. For the vàlues where g is 
zero we can just leave the phase unchanged as those terms are not present in the superposition. 

4. Let A = {y e G : g(t/j y ) ^ 0}. Thcn the amplitude of | - s) is 



so we measure | — s) with probability [3. 
Thus the algorithm succeeds in identifying s with probability a[3 and only requires one query of / and one 



6.3 Examples 

We show how the hidden shift problems we considered earlier fit into the framework of the hidden coset 
problem. In the shifted multiplicative character problem over finite fields, G is the additive group of ¥ q , 
g = x an d H is trivial since the shift is unique for nontrivial x- I n the shifted multiplicative character 
problem over Z/nZ, G is the additive group of Z/nZ, g = x aim H is the subgroup {0, £, . . . , n/i}, where i 
(which is a factor of n) is the period of \. In the shifted period multiplicative character problem over Z/nZ 
for unknown n, G is the additive group of Z, g = x and H is the infinite subgroup 17L. 
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